# frozen_string_literal: true

require 'spec_helper'

RSpec.describe 'Query.vulnerability(id)', feature_category: :vulnerability_management do
  include GraphqlHelpers

  let_it_be(:project) { create(:project) }
  let_it_be(:current_user) { create(:user).tap { |user| project.add_developer(user) } }
  let(:vulnerability_params) { { id: global_id_of(vulnerability) } }
  let(:query) { graphql_query_for('vulnerability', vulnerability_params, vulnerability_fields) }

  before do
    stub_licensed_features(security_dashboard: true)
    post_graphql(query, current_user: current_user)
  end

  describe 'query all fields' do
    let(:vulnerability_fields) { all_graphql_fields_for('Vulnerability', max_depth: 1, excluded: %w[dismissalReason]) }

    Vulnerabilities::Finding.report_types.each_key do |report_type|
      context "for a #{report_type} vulnerability" do
        let_it_be(:vulnerability) { create(:vulnerability, :with_finding, project: project, report_type: report_type) }

        it_behaves_like 'a working graphql query that returns data' do
          it 'returns the vulnerability' do
            expect(graphql_data.dig('vulnerability', 'id')).to eq "gid://gitlab/Vulnerability/#{vulnerability.id}"
            expect(graphql_data['vulnerability'].keys).to match_array(vulnerability_fields.to_h.keys)
          end
        end

        context 'with an unauthenticated client' do
          let_it_be(:current_user) { nil }

          it_behaves_like 'a working graphql query that returns no data'
        end
      end
    end
  end
end
